Hareesh Namavar
ServiceNow Employee

Microsoft Azure Sentinel and Security Incident Response integration is now available on the ServiceNow Store!

The much-awaited Microsoft Azure Sentinel and Security Incident Response (SIR) integration is live on the ServiceNow Store!

Summary of the integration 

The Microsoft Azure Sentinel Incident Ingestion Integration for Security Operations discovers Microsoft Azure Sentinel incidents (via the Sentinel API) that are candidates for security incidents, automates the creation of the corresponding security incidents in SIR, and enables automated response actions on them.

Overview

[Overview diagram of the integration (image not available in this copy)]

Key features 

This integration includes the following key features: 

  • Discover Microsoft Azure Sentinel incidents that are candidates for security incidents and automate the creation of security incidents. 
  • Mapping of Microsoft Azure Sentinel incident and entity fields to SIR security incident fields. 
  • Filtering of Microsoft Azure Sentinel incidents. 
  • Aggregation of similar incidents to existing open security incidents so that you don't have to create duplicate security incidents. 
  • Automatic update of the Microsoft Azure Sentinel incident status when the SIR security incident is created and again when it is closed. 
  • Scheduled ingestion of incidents that create security incidents periodically. 
  • Synchronisation of Microsoft Azure Sentinel incident comments with SIR Work notes. 
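The features above describe a pipeline: poll Sentinel, filter candidates, map fields, aggregate look-alikes instead of duplicating, write the status back, and sync comments both ways. The following Python is an added offline model of that pipeline, not code from the store app or from ServiceNow. The Sentinel incident JSON is constructed here in the shape returned by the Microsoft.SecurityInsights incidents REST API (api-version 2020-01-01), trimmed to the fields used; the SIR field names follow the sn_si_incident table, while the u_sentinel_* / u_similarity_key correlation fields, the severity mapping, the similarity key and the close-code-to-classification mapping are assumptions of this example.

```python
"""Offline model of the Sentinel -> SIR ingestion pipeline (added example)."""

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
# Assumed mapping onto sn_si_incident.severity choice values (1 = High, 3 = Low).
SIR_SEVERITY = {"High": 1, "Medium": 2, "Low": 3, "Informational": 3}
# Properties the Incidents API accepts on PUT; the rest are read-only.
WRITABLE = ("title", "description", "severity", "status", "owner", "labels",
            "classification", "classificationReason", "classificationComment")

def _inc(name, etag, number, title, severity, status, rules, alerts, tactics):
    """Build one constructed Sentinel incident in the shape the REST API returns."""
    return {"name": name, "etag": etag, "properties": {
        "incidentNumber": number, "title": title, "severity": severity,
        "status": status, "relatedAnalyticRuleIds": rules,
        "createdTimeUtc": "2021-06-01T10:00:00Z",
        "additionalData": {"alertsCount": alerts, "tactics": tactics}}}

# Constructed sample: two look-alikes, one below threshold, one already closed.
SENTINEL_INCIDENTS = [
    _inc("inc-101", '"0a"', 101, "Sign-in from anonymous IP", "High", "New",
         ["rule-anon-ip"], 1, ["InitialAccess"]),
    _inc("inc-102", '"0b"', 102, "Sign-in from anonymous IP", "High", "New",
         ["rule-anon-ip"], 2, ["InitialAccess"]),
    _inc("inc-103", '"0c"', 103, "Analytics rule self-test", "Informational",
         "New", ["rule-test"], 1, []),
    _inc("inc-104", '"0d"', 104, "Mass download from SharePoint", "Medium",
         "Closed", ["rule-exfil"], 3, ["Exfiltration"]),
]

def is_candidate(inc, min_severity="Low", statuses=("New", "Active")):
    """Filtering: only open incidents at or above the severity threshold."""
    p = inc["properties"]
    return (p["status"] in statuses
            and SEVERITY_RANK[p["severity"]] >= SEVERITY_RANK[min_severity])

def similarity_key(inc):
    """Aggregation key (an assumption here): same analytics rules and title."""
    p = inc["properties"]
    return (tuple(sorted(p["relatedAnalyticRuleIds"])), p["title"])

def map_to_sir(inc):
    """Field mapping: Sentinel incident -> sn_si_incident record (as a dict)."""
    p, extra = inc["properties"], inc["properties"]["additionalData"]
    return {
        "short_description": f"[Sentinel #{p['incidentNumber']}] {p['title']}",
        "description": (f"Sentinel incident {inc['name']} created {p['createdTimeUtc']}, "
                        f"{extra['alertsCount']} alert(s), tactics: "
                        f"{', '.join(extra['tactics']) or 'n/a'}"),
        "severity": SIR_SEVERITY[p["severity"]],
        "u_sentinel_incident_id": inc["name"],      # assumed correlation field
        "u_aggregated_ids": [],                     # look-alikes folded into this record
        "u_similarity_key": similarity_key(inc),
        "work_notes": [],
    }

def sentinel_status_update(inc, new_status, classification=None):
    """Body for PUT .../incidents/{name}?api-version=2020-01-01. The etag gives
    optimistic concurrency; closing needs a classification, and how a SIR close
    code maps onto one is an assumption of this example."""
    props = {k: v for k, v in inc["properties"].items() if k in WRITABLE}
    props["status"] = new_status
    if new_status == "Closed":
        props["classification"] = classification or "Undetermined"
    return {"name": inc["name"], "etag": inc["etag"], "properties": props}

def ingest(incidents, open_sir):
    """One scheduled run: create SIR records for new candidates, fold look-alikes
    into an existing open record, return (created records, Sentinel updates)."""
    by_id, by_key = {}, {}
    for r in open_sir:                               # index what is already tracked
        by_id[r["u_sentinel_incident_id"]] = r
        by_id.update({a: r for a in r["u_aggregated_ids"]})
        by_key[r["u_similarity_key"]] = r
    created, updates = [], []
    for inc in incidents:
        if not is_candidate(inc) or inc["name"] in by_id:
            continue                                 # filtered, or already ingested
        key = similarity_key(inc)
        if key in by_key:                            # aggregate, do not duplicate
            rec = by_key[key]
            rec["u_aggregated_ids"].append(inc["name"])
            rec["work_notes"].append(f"Aggregated Sentinel incident {inc['name']}")
            by_id[inc["name"]] = rec
            continue
        rec = map_to_sir(inc)
        open_sir.append(rec); created.append(rec)
        by_id[inc["name"]], by_key[key] = rec, rec
        updates.append(sentinel_status_update(inc, "Active"))  # mark as picked up
    return created, updates

def sync_comments(sentinel_comments, sir_work_notes):
    """Two-way comment sync: (notes to add in SIR, comments to post to Sentinel).
    Comparing message text keeps a mirrored note from being echoed back; a real
    implementation would track comment ids and work-note sys_ids instead."""
    msgs = [c["properties"]["message"] for c in sentinel_comments]
    to_sir = [m for m in msgs if m not in sir_work_notes]
    to_sentinel = [n for n in sir_work_notes if n not in msgs]
    return to_sir, to_sentinel

if __name__ == "__main__":
    open_sir = []
    created, updates = ingest(SENTINEL_INCIDENTS, open_sir)
    print(len(created), "created;", len(updates), "Sentinel update(s)")
    print(open_sir[0]["work_notes"])
    print(sentinel_status_update(SENTINEL_INCIDENTS[0], "Closed", "TruePositive"))
```

Running it creates one security incident for inc-101, folds inc-102 into it as a work note rather than a duplicate, drops the informational and already-closed incidents, and emits a single PUT body that moves inc-101 to Active. A second run against the same open_sir list changes nothing, which is the property a scheduled ingestion job needs.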

Supported Platform versions: Quebec and Paris 

Link to the app on the store: https://store.servicenow.com/sn_appstore_store.do#!/store/application/2e79ad6cfe4220103a962200674b7b... 

 Link to product documentation: 

https://docs.servicenow.com/bundle/quebec-security-management/page/product/secops-integration-sir/se... 

 High level demo of the integration: 

https://www.youtube.com/watch?v=LEWqi98fv3o 

 

Comparing Microsoft Azure Sentinel and Microsoft Graph Security API integrations with SIR 

 You can view the differences between Microsoft Azure Sentinel and Microsoft Graph Security API integrations and choose the right integration with your Now Platform instance. 

Microsoft Azure Sentinel Incident Ingestion integration overview 

Microsoft Azure Sentinel is a cloud-based security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. 

The Microsoft Azure Sentinel Incident Ingestion integration automatically fetches incidents from Azure Sentinel, converts them into security incidents in SIR, and enables automated response actions on them. 

Microsoft Graph Security API integration overview 

 The Microsoft Graph Security API is an intermediary service (or broker) that provides a single programmatic interface for connecting multiple security providers (Native to Microsoft as well as ServiceNow Partners). 

The Microsoft Graph Security API integration uses that broker interface to connect with different Microsoft security technologies such as Azure Sentinel, Microsoft Defender Advanced Threat Protection, and Azure Advanced Threat Protection. 

 Alerts from Microsoft Security providers are ingested, and security incidents are automatically created in Security Incident Response. 

[Architecture diagram of the Microsoft Graph Security API integration (image not available in this copy)]


Comparison between Microsoft Azure Sentinel and Microsoft Graph Security API integrations 

What is ingested 
  Microsoft Azure Sentinel integration: Ingests Microsoft Azure Sentinel incidents along with entity information (when available) and automates security incident creation in SIR. 
  Microsoft Graph Security API integration: Ingests alerts from multiple security providers (including Azure Sentinel) in a standard schema and automates security incident creation in SIR. 

Updates back to the source 
  Microsoft Azure Sentinel integration: Supports bi-directional updates, which include incident closure, incident status change (New), and synchronising comments. 
  Microsoft Graph Security API integration: Supports alert updates (alert status change and alert closure) for selected security providers. Note: For more information on the security providers supported by the Microsoft Graph Security API, see the Microsoft documentation. 

When to use it 
  Microsoft Azure Sentinel integration: Use this integration if your scenario includes the following conditions: 
    • Preliminary incident investigation is in Microsoft Azure Sentinel and subsequent investigation is in SIR. 
    • Ingest Microsoft Azure Sentinel incidents into SIR. 
  Microsoft Graph Security API integration: Use this integration if your scenario includes the following conditions: 
    • Perform incident investigation in SIR. 
    • Ingest Microsoft Azure Sentinel alerts into SIR. 
    • Incidents are not created in Microsoft Azure Sentinel. 

Alert data 
  Microsoft Azure Sentinel integration: An alert is an entity in Microsoft Azure Sentinel. You cannot retrieve standalone or specific alerts using the Microsoft Azure Sentinel Management API; you can only retrieve the alert data associated with an incident. 
  Microsoft Graph Security API integration: The Microsoft Azure Sentinel normalised alert data is available. The Microsoft Azure Sentinel alert fields that are mapped internally in the Microsoft Graph Security API, and are exposed by it, are available for use in this integration. 

Alert updates 
  Microsoft Azure Sentinel integration: You cannot update alerts in Microsoft Azure Sentinel using this integration. 
  Microsoft Graph Security API integration: You cannot update alerts in Microsoft Azure Sentinel using this integration. 


Comments
Jerzy Pa_ka
Tera Explorer

@Hareesh Namavar "Supports bi-directional updates which include incident closure, incident status change (New), and synchronising comments." Is it really bi-directional? We can't find any option to auto-close incidents in SN if they are closed in Sentinel.

Hareesh Namavar
ServiceNow Employee

Hi,

The integration is bi-directional with respect to the use cases it was built for.

We do not close our security incidents from a third-party product (not a recommended practice). We expect analysts to be working in SIR, using it as a single pane of glass and a system of record. Imagine a scenario where an analyst is working on a security incident in SIR (in analysis, containment or any other phase) and the incident gets closed abruptly.

The right way to configure the integration on the SIR side is to ingest only those incidents that are escalated from Azure Sentinel and that aren't worked on the Sentinel side.

Moreover, the fields (questionnaire, close code, closing reason, etc.) we have to fill in before closing a security incident can't be accurately mapped to Azure Sentinel incidents. This affects the reporting and analysis on our side. There could be child or aggregated incidents associated with an incident, and these would get closed automatically too (may not be a best practice). There could be ongoing collaboration across various teams (e.g. ITSM, Risk, Vulnerability, Threat Intelligence, etc.) and the tasks associated with them would get closed automatically too!

Our product documentation clearly explains the bi-directional support provided as part of the integration:

- Update the state of the Sentinel incident whenever a security incident is created
- Close the Azure Sentinel incident whenever a security incident is closed in SIR
- Comments from the Azure Sentinel incident are synced to work notes of SIR
- Work notes of the SIR incident are synced to the Azure Sentinel incident

Jerzy Pa_ka
Tera Explorer

@Hareesh Namavar Ok, second question: when we ingest incidents from Sentinel, I can't find any option to get all work notes on security incident creation in SIR (from Sentinel). Sync is working, but only after creation of the ServiceNow incident. Is there any option to pull work notes from Sentinel that were created before creation of the SIR incident?

Hareesh Namavar
ServiceNow Employee

The August store release update of the integration will provide you with the ability to map the Azure Sentinel incident "Comments" entity and its associated fields to SIR fields. Your use case can be accomplished with this update!

pratiksha5
Mega Sage

Hi, I am not able to find the subscription information. What should a customer be subscribed to in order to use the application?

Martin Dewit
Tera Guru

@pratiksha5 Could you clarify what you mean by subscription information? To be able to use the integration, you will need the Security Incident Response application, which requires a license/subscription. I believe this Sentinel integration is free to install and use. During the Sentinel integration setup process, a "subscription ID" is required from your registered Azure app for ServiceNow.

Sourin1
Tera Contributor

Hello,

I'm new to this module and process. I just wanted to know a few things; if anybody can answer these, that would be a great help.

- How can I migrate the existing playbooks present in Sentinel to my ServiceNow SIR? Do I need to do this, or should I follow the existing playbooks provided by ServiceNow?

- How does orchestration come into the picture here? Let's say for a security incident of category phishing email, in the eradication phase I want to find and delete the emails from the user's mailbox. I see there is a button for search and delete, but how does this work in the backend?

- For a use case where I want to block an IP, quarantine an email or deactivate a user account, how can these be achieved? Should I include these capabilities in my playbook, or is there another way to do it? What is the best practice, or how is this generally done?

- What is the difference between these two modules, Capabilities (Flow) and Capabilities?

Thanks,

Sourin

Version history
Last update: 06-17-2021 11:26 PM